Thank you, Mr. Chair and committee, for having me here today.
I'm here on behalf of the Information Technology Association of Canada. ITAC is the national voice of Canada's information and communications technology sector. There are over 37,000 ICT firms in Canada, employing almost 600,000 Canadians.
The ICT industry is uniquely positioned to provide comments on CASL. The industry includes telecommunications, online, and IT companies that are both on the front line fighting against spam and spyware and dependent on electronic messaging and the installation of computer programs as core elements of their businesses.
While the legislation under review is commonly referred to as CASL, or Canada's Anti-Spam Legislation, it's important to consider the full objectives, as stated in section 3, which are:
to promote the efficiency and adaptability of the Canadian economy by regulating commercial conduct that discourages the use of electronic means to carry out commercial activities, because that conduct
(a) impairs the availability, reliability, efficiency and optimal use of electronic means...
(b) imposes additional costs on businesses and consumers;
(c) compromises privacy and the security of confidential information; and
(d) undermines the confidence of Canadians in the use of electronic means of communication to carry out their commercial activities
While spam is part of it, the central goal of the legislation is really to promote and grow the digital economy and to encourage businesses and consumers to embrace electronic means of communication and commerce.
The idea is to clear the pipes of junk so it's easier and safer for everyone. The interests of the ICT industry are very much aligned with these public policy goals. However, to date, there is little objective evidence that CASL has led to either a decline in malicious forms of spam or an increase in confidence in electronic commerce. We do know that phishing, ransomware, and other cyber-threats remain very prevalent and we know that enforcement of CASL by the CRTC has largely been against legitimate companies, with an absence of targeted enforcement against true malicious spammers or other bad actors. We also know that CASL has imposed substantial administrative costs on businesses across the country.
CASL is complex and confusing, with highly prescriptive rules, heavy fines, and aggressive enforcement by the CRTC. Organizations of all sizes need to devote considerable resources to understanding the rules and maintaining compliance. It is so complex that CASL consulting has become an industry unto itself, which is certainly an unintended consequence of the legislation.
Confusion breeds risk aversion, and the experience of our members has been that CASL discourages Canadian businesses from innovating or adopting new technologies. Enforcement actions by the CRTC only exacerbate this aversion, which creates a chill in the industry without providing useful guidance so that other companies can avoid the same mistakes.
In addition, the often overlooked computer program provisions have created risks to consumers by inhibiting companies from installing updates to protect against emerging cybersecurity threats. While the regulations include limited deemed consent exceptions, they do not go far enough, and ultimately they undermine the legislation's objective of making consumers more secure.
The software provisions are especially unworkable when we consider the quickly emerging Internet of things, as Michael mentioned. Many software-controlled devices coming into our homes and workplaces have no user interfaces, and the global companies that design and sell them often have no direct relationship with the consumer, which makes CASL compliance extremely difficult.
To address CASL's unintended consequences and to help it meet its stated objectives, ITAC proposes five themes to guide amendments.
First, the justification for CASL has been articulated as targeting damaging and deceptive spam, spyware, malicious code, and other threats. Amending CASL so that it targets only these harmful activities would go a long way to addressing CASL's unintended consequences. This can be accomplished by narrowing the definitions of three terms: computer program, commercial electronic message, and electronic address. In ITAC's written submission, we will include outlines of specific proposals regarding how we think these definitions should be narrowed.
Second, the circumstances in which express consent is not required should be expanded. CASL combines prescriptive express-consent rules with narrowly drafted exceptions. This combination creates complexity and rigidity that make compliance exceptionally difficult and costly when compared to compliance with anti-spam laws in other jurisdictions, such as the United States or Australia. Amending CASL to include an implied-consent principle, similar to Canada's privacy law, PIPEDA, would help to remove the unnecessary regulatory burden created by CASL.
Third, we should make CASL less complex and rigid. Canadian businesses should not require a lawyer to determine whether they're in compliance with CASL. CASL's overly prescriptive rules, including the rules governing requests for consent and the content of messages, should be replaced with general principles, similar to Canada's privacy law. By following the approach found in PIPEDA, businesses will be free to innovate in how they communicate specific information to consumers, and the CRTC, the Office of the Privacy Commissioner, and the Competition Bureau will have room and flexibility to provide guidance.
Fourth, CASL should be amended so that businesses in Canada are on a level playing field with competitors in other jurisdictions. The computer program provision in CASL should not apply, for instance, to programs installed on devices in another jurisdiction if the installation does not violate the law in that jurisdiction. Further, the red tape and regulatory burden caused by CASL's prescriptive rules should be minimized and, where appropriate, harmonized across borders.
Last, as mentioned previously, the private right of action, which combines broad standing to sue and statutory damages, creates the perfect conditions for frivolous class actions against legitimate businesses. Minister Bains was wise to defer its implementation earlier this summer. To avoid the significant costs to both the court system and industry, the private right of action should be repealed, or at the very least restricted to have standing only for organizations like networks and ISPs who bear the direct costs of spam, spyware, and other online threats.
Thank you. I look forward to your questions.